Compliance: A Framework For Success

Editor:Would you tell our readers something about your
professional experience?

Ewing: We've been providing consulting services to Chief Legal
Officers and the Office of General Counsel for over a decade on a variety of
strategic and operational issues. Our clients are typically large S&P 500
companies, spanning many industries. We like to think of ourselves as business
people who understand legal, and we have deep backgrounds in strategy,
organizational design, process, technology and financial analysis. Some of our
recent client experiences include designing and implementing compliance
infrastructure in organizations; combining law departments of companies engaged
in a merger; centralizing law department operations for large multinational
organizations; and implementing technology tools that help our clients manage
the effectiveness of the legal function.

Editor: How did you come to Standard & Poor's?

Kral: Our backgrounds include large accounting and consulting firms.
We were intrigued by Standard & Poor's strategy of enhancing its Corporate
Value Consulting practice with seasoned specialists. We were particularly
attracted by the opportunity to be part of an organization that represents the
best analytical skills in the world. Our clients understand that everything we
do must be accurate, thorough, and grounded in a strong fact base.

Ewing: Corporate Value Consulting, or CVC, has been a leading provider
of independent and objective advice and analysis for over 35 years. CVC combines
financial and industry expertise with proven methodologies to help solve complex
business problems and meet market and regulatory requirements. CVC understands
that proper analysis requires a keen understanding of the rules. This is
critical to our work with CLOs. In addition to our legal management and
technology consulting, CVC provides many other services.

Our dispute consulting and forensic advisory practice includes professionals
who have testified as experts in such areas as commercial and shareholder
disputes, bankruptcy, intellectual property and business insurance. We also have
a strong forensic computing, e-discovery and records management team. Our
corporate finance professionals provide services such as due diligence, fairness
opinions, and complex financial modeling. Other core valuation services include
those for financial reporting and tax purposes, including the valuation of fixed
assets, intangibles and real estate. Our legal management and technology
consulting team is an important part of CVC because our client, the CLO, is
integral to all the services that CVC offers. As the CLO's scope of
responsibility continues to expand, and risk and compliance takes on even
greater importance across the entity, so too does the value of CVC's
contribution.

Editor: The two of you have spent many years dealing with legal
departments and their compliance issues. In recent years compliance strategies
have taken on an urgency that may not have been present in the past. Why?

Kral: In the past, compliance was mostly about training, putting a
manual on a shelf and checking the box. Today, the stakes are much higher, as
senior management and the board have exposure to both personal and criminal
liability in the event of an unanticipated loss in shareholder value. It is not
just new regulations, like Sarbanes-Oxley, that have triggered this dramatic
change. The intense scrutiny on money laundering, for example, following 9/11
has resulted in the need for major changes across the entire financial services
industry. Every company must recognize that the old rules no longer apply. For
multinational organizations these challenges are even more complex, as the legal
and regulatory frameworks operate at different speeds and often have different
objectives. A fully integrated compliance initiative requires a transformation
in corporate culture.

Editor: Until the recent corporate scandals, assessing corporate risk and
building compliance strategies were something of an afterthought in corporate
America. Senior management and even the governing board had a primary focus on
operations. That has changed dramatically. Will you share with our readers how
CVC goes about establishing a compliance strategy from the ground up?

Ewing: The way we begin with our clients is to help them define what a
compliance transformation means, especially in its leadership commitment. First,
compliance today is about changing the way people view risk, regulation, and
communication. The key to changing corporate culture is to communicate that
compliance is everyone's responsibility.Executives must enable an
open door process that encourages people to ask "is this right?" at all levels
of the company. For this to take place, the board, executive management, risk
officers and CLOs must be fully engaged. Compliance organizations must have a
robust communication plan relying on multiple channels that keep risk issues
front and center.

Second, companies should not focus exclusively on interpreting regulations,
but also on developing business conduct and ethical standards and building
compliance around these standards. For example, take the recent outbreak of
privacy issues in the news. With major exceptions such as California law, there
are few domestic requirements around privacy. Of course, that has not limited
the damage to company reputations when these breaches have occurred. The bottom
line is that companies that are proactive in building their compliance programs
will be prepared for increased legislation.

Third, we encourage a systematic, proactive, end-to-end approach to
compliance through application of a continuous cycle framework. Our framework is
collaborative. It requires commitment from the top and accountability throughout
the enterprise. Components of the framework include;

1. Identify and Evaluate Corporate Risk. This entails testing the
current risk environment, including legal, operational, reputational, and
financial risk. Our goal is to isolate risk, understand existing controls and
prioritize to eventually allocate resources. The result is a entity-wide risk
map that is ranked against specific criteria.

2. Set Policy. This is where you start to get into the meat of the
program. Policies are developed that match the requirements with the operating
environment. During this process, the standard for corporate behavior begins to
emerge and take shape.

3. Embed Policy. First you set policy, and then you must embed policy
via education, communication, accountable parties and appropriate use of
technology. The goal is to encourage and reward behavior consistent with the
objectives. Initiatives often necessitate changes in business processes,
documentation, and creation of new controls, and incorporate creative education
at every step. The full education toolkit should consider top ten lists,
frequently asked questions, handbooks, use of technology and other creative
means to making compliance accessible.

4. Monitor. This includes both day-to-day monitoring of the compliance
environment and active periodic monitoring of the program. The former should be
supported by processes and systems that alert business units and/or the
compliance function to emerging issues. Periodic monitoring should include an
assessment of overall program compliance and of effectiveness. Think of this as
an audit process that must be repeated on a regular basis with a similar
priority and rigor. It is not only essential that people embrace the program -
it must be effective. Metrics must be developed which demonstrate achievement of
expectations. Reviews by law firms of specific programs are generally necessary.

5. Investigate. This is the continuous process employed when
monitoring identifies issues requiring further scrutiny and corrective actions
or modifications. All policies should have a clear escalation process.

6. Report. Reporting is mandatory, critical and should cover
regulatory disclosures, effectiveness of the program, significant issues
uncovered, the status of implementation of corrective actions, and new risks. It
must be broad and deep because everyone has a role and they must know their
performance within the program.

The beauty of the framework is that it requires both executive level and
enterprise-wide commitment and accountability, is flexible and timely by design,
opens both top down and bottom up channels of communication, mandates
measurement and facilitates a continuous cycle of improvement.

Editor: Would you say that an effective compliance program is dependent on
the tone that is set at the top?

Ewing: We cannot overstate the importance of strong corporate
leadership in the compliance process. This means that executives are fully
integrated into the process, commit the funds to build the infrastructure and
actively participate in the success of the program.

Editor: How does CVC assess compliance risks from one client to the
next?

Ewing: Each client is different, yet all clients share certain
similarities. Although our framework works across all industries, we leverage
our industry specialists to ensure we capture and assimilate the industry
challenges into our risk identification. We apply a systematic process by which
an organization reviews and comes to understand the potential risks it faces.
Regardless of the risk, we assess the magnitude of the risk - criminal
penalties, fines, reputation, losses and so on - and the level of control
currently in place to mitigate the risk. Evaluating these two elements helps our
clients get a better understanding of their full risk portfolio, develop action
plans and allocate resources to appropriately address each risk.

Editor: Please tell us about the role technology plays in the services CVC
brings to its clients.

Kral: Technology is a valuable tool, but by itself it is never a
complete solution. We help our clients utilize technology to measure and monitor
risks. For example, creating a single repository and tickler system for periodic
obligations helped one client gain comfort that its consent decrees were being
appropriately addressed. Technology can also be a tremendous tool in support of
communicating messages and giving the enterprise access to important compliance
resources.

Of course, technology is also driving compliance risk. Companies will need to
improve their ability to manage electronic communications, especially those that
contain personal and sensitive data. Proactive testing of electronic data needs
to be considered. Because communication management has become so critical in
today's environment, an electronic communication initiative is an important part
of any compliance program.

Editor: Compliance is an ongoing challenge. Once a program is in place,
how do you go about helping clients resist the onset of complacency?

Ewing: Firms need to be cautious about the Hawthorne Effect. Behavior
changes for an initial period, when a new compliance program is begun, but
people revert to their old habits once the attention shifts. A catalyst for
vigilance is the potential for criminal liabilities, financial losses, and
erosion of corporate citizenship. Our approach of continuous improvement keeps
the enterprise focused. Compliance programs should be reviewed and signed off
every year, similar to an audit.

Editor: Is there a single best practices model for compliance?

Kral: Although a number of models exist and more are evolving, a
standard has not emerged. Of course, organizations should at a minimum look to
incorporate the elements outlined in the 2004 Revised Federal Sentencing
Guidelines.

Organizationally, the formal compliance function most commonly resides within
the CLO's organization. The logic of this model is that the CLO usually has
responsibility in the event of an infraction, so having compliance in the CLO's
organization creates accountability for preventing it in the first place.
Nevertheless, no single function can administer the program in a vacuum.
Accountability for the implementation and daily administration of initiatives
needs to be vested within the business units where the compliance risk exists. A
formal compliance function should support and monitor these efforts and bring a
centralized, coordinated view of compliance to the enterprise and the board.

Lastly, when funding compliance programs, "an ounce of prevention is worth a
pound of cure" could not be truer. Although the compliance function may not
generate revenue, if the program is implemented appropriately, it will be a
prudent investment with significant
returns.